Understanding Data Breaches in the Foodservice Industry

The foodservice and hospitality industries have been hit particularly hard by data breaches, with hotel brands, restaurants and fast casual establishments targeted by hackers in 2017. While the average cost of a data breach in 2017 was $4 million, for larger companies and chains, those costs can skyrocket to over $50 million – not to mention the irreparable damage to the brand.

Verizon’s data breach investigation team reports that it investigated 368 incidents of data compromise at accommodation and foodservice businesses last year, 338 of which resulted in confirmed disclosure of data to unauthorized parties. According to the company’s 2018 Data Breach Investigations Report (DBIR), point-of-sale (POS) intrusions accounted for 90% of breaches in foodservice and accommodation in 2017, meaning nearly 9 out of every 10 data breaches recorded at hotels and restaurants affected a POS system.

What Do Data Breaches Mean for Foodservice?

Interestingly enough, POS intrusions were over 40 times more common at accommodation and foodservice businesses than they were in the average industry that Verizon investigated. While hackers have targeted hotel reservation systems, more often it is the restaurants and small stores on their properties that get hit.

So what are the repercussions if a restaurant or fast casual establishment gets hacked? Do long-term customers stop dining at their favorite restaurants? Do they lose trust in their favorite brands? Even when a customer is not personally affected by a data breach, they are still wary of continuing to shop or dine with that establishment, reports Business Insider.

“According to a study from KPMG, 19% of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.” Just because a customer wasn’t touched by the breach doesn’t mean they don’t know a friend or neighbor who was.

Data breaches can also make consumers cautious about joining loyalty programs. The Washington Post reports that members of Panera Bread’s MyPanera program were the ones affected by Panera’s data breach in April, specifically members who had used it to order food online. Customer names, physical addresses, birth dates and the last four digits of the credit card numbers on file were exposed.

Restaurants like Panera and coffee shops like Starbucks have made it simple for customers to join loyalty programs and even order online, which can be hugely convenient. But these breaches leave consumers wondering whether convenience and loyalty perks are a good enough trade-off for their privacy.

How Cyber Criminals Get Your Information

Unfortunately, despite the many big-name food service hacks over the last several years, not all restaurants and fast casual establishments have shored up their security systems.

Employees

QSR magazine believes that the increase in data breaches in foodservice can, in many cases, be traced back to employees. Employees are not always properly trained to spot potential hacking and fraud, whether that is a counterfeit credit card or an email with a suspicious attachment. High employee turnover, a problem across foodservice as a whole, makes it difficult to train staff properly. The onus therefore falls on restaurants and chains/franchises to continuously audit which employees have access to customer information and, at a minimum, to instruct employees to use strong passwords and to beware of phishing attempts.

Malware

Barkly reports that malware is one of the biggest culprits when it comes to hospitality and foodservice data breaches. Once malware has found its way into a POS system, criminals can siphon off customers’ names and card numbers in clear text if that data is not encrypted. Experts suggest keeping POS systems on a separate network from corporate systems, menu boards and security cameras, so that a compromise of one of those does not give an attacker a path to the POS.

Software Patches and Updates

Restaurants need to stay up to date with the latest software versions and patches. If they don’t, unpatched vulnerabilities can provide an “in” for malware. As Gary Davis of McAfee says:

“In fact, many of the more harmful malware attacks we see take advantage of software vulnerabilities in common applications, like operating systems and browsers. These are big programs that require regular updates to keep safe and stable. So instead of procrastinating about software updates, see those updates as one of the most essential steps you can take when it comes to protecting your information.”

A Holistic Approach to Foodservice Payment Security Is Required

There are several technologies that restaurants and foodservice companies need to implement as basics in protecting their payment data:

PCI-validated Point-to-Point Encryption (P2PE) protects data in transit by encrypting cardholder data at the point of entry in the restaurant’s point-of-sale device. Encrypting card data on entry means it is never available in the restaurant’s systems as “clear text” where it could be exposed in the event of a data breach.

EMV authenticates the credit or debit card at the point of sale by reading the chip embedded in the card and verifying the cardholder with a PIN or signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that thieves could then use to purchase items at the POS.

Tokenization enables foodservice organizations to safely “store” cardholder data at rest for use in future transactions by replacing the card number with a surrogate token that has no value outside the payment provider’s vault, making for a highly secure card-on-file solution. Tokenization, like P2PE, effectively renders the data useless to hackers.
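The two points above (malware scraping clear-text card data out of POS memory, and tokenization leaving the merchant with nothing worth stealing) can be checked concretely. The following Python is an added example, not code from the original page or from Bluefin: it runs the same kind of scan a forensic responder (or a DLP tool) would run over a POS memory dump, a track 2 pattern plus a Luhn check, first against a constructed clear-text POS buffer and then against the record a merchant keeps once the card is tokenized. The buffer contents, the `TokenVault` class and the choice to make tokens fail the Luhn check are all assumptions of this example; the PAN 4111 1111 1111 1111 is a well-known test number, not a live card.

```python
import re
import secrets

# Constructed sample of what sits in POS process memory between swipe and
# authorization: order data, a full track 2 string (PAN=YYMM SERVICE DISCRETIONARY?),
# the cardholder name, and some binary noise around it.
CLEARTEXT_POS_BUFFER = (
    b"\x00\x00order=1842;table=7;"
    b";4111111111111111=25121011234567890123?"
    b";name=J DOE;\x00\xff\x00"
)

# Track 2: ';' PAN '=' expiry(YYMM) service code(3) discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Any isolated run of 13-19 digits (candidate PAN), then validated with Luhn
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check digit test used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_card_data(buf: bytes) -> list:
    """Return (kind, pan, expiry) tuples for card data found in clear text.

    This is the check a responder runs over a memory dump; it is also, by
    construction, exactly what a RAM-scraping POS malware family looks for.
    """
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append(("track2", pan, m.group(2).decode()))
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan) and not any(f[1] == pan for f in findings):
            findings.append(("pan", pan, None))
    return findings


class TokenVault:
    """Hypothetical token vault held by the payment provider, never by the merchant."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        while True:
            # Random digits, last four preserved so receipts can show "ending 1111".
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Design choice in this example: tokens deliberately fail Luhn, so a
            # token can never be mistaken for (or collide with) a real PAN.
            if not luhn_valid(token) and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def merchant_card_on_file(vault: TokenVault, pan: str, customer: str) -> dict:
    """What the merchant stores for a card-on-file customer: a token, not a PAN."""
    return {"customer": customer, "token": vault.tokenize(pan), "last4": pan[-4:]}


def record_to_bytes(rec: dict) -> bytes:
    return ";".join(f"{k}={v}" for k, v in rec.items()).encode()


if __name__ == "__main__":
    print("clear-text POS buffer:", scan_for_card_data(CLEARTEXT_POS_BUFFER))
    vault = TokenVault()
    rec = merchant_card_on_file(vault, "4111111111111111", "J DOE")
    print("merchant record:", rec)
    print("scan of merchant record:", scan_for_card_data(record_to_bytes(rec)))
```

Run as is, the scan of the clear-text buffer recovers the full PAN and expiry, which is all a RAM scraper needs; the scan of the tokenized merchant record finds nothing, and the only way back to the PAN is through the provider-side vault. The same scan is a useful acceptance test for a P2PE rollout: if it still finds Luhn-valid PANs in a dump of the POS process, card data is not being encrypted at the point of entry.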

Bluefin’s PCI-validated P2PE solution encrypts card data in retail, mobile and kiosk environments through a PCI-validated P2PE device. Because card data is encrypted on entry, clear-text cardholder data is never available in the foodservice operator’s systems or network. Decryption takes place only in Bluefin’s hardware environment.

Bluefin provides our P2PE food industry payment solution through:

Point of sale devices: Bluefin provides PCI-validated P2PE for major restaurants and fast casual establishments through our large network of Decryptx partners, which includes Verifone, NCR, CyberSource, USAePay, Merchant Link and more. We offer the largest array of PCI P2PE-certified countertop devices from Ingenico, Verifone, Miura and more.
